S0406: Gustuff
Analyst context for executives and security teams
Gustuff matters because it is Android mobile malware described by ATT&CK as designed to steal banking and virtual currency credentials. For leaders, the decision issue is not only malware blocking; it is whether mobile devices that access financial, identity, or business applications are governed, monitored, and recoverable when credential capture, hidden apps, anti-removal behavior, and mobile command-and-control are possible.
Executive priority
Prioritize Gustuff-related validation where Android devices are used for banking, crypto, privileged business access, MFA, customer support, or regulated workflows. Executives should ask whether the organization can prove mobile app inventory, risky permission use, accessibility abuse, device administrator abuse, mobile network visibility, and incident response procedures for credential theft scenarios. This object has no ATT&CK-provided detection guidance or tactics, so it should drive control assurance and telemetry gap review rather than assumptions of existing coverage.
Technical view
ATT&CK lists Gustuff on Android and relates it to obfuscation/software packing, keylogging, GUI input capture, security software discovery, system and network discovery, web-protocol communications, input injection through Android accessibility APIs, local data collection, hiding the app icon, preventing application removal, contact and SMS collection, and out-of-band data. SOC and IR teams should validate whether they can identify suspicious Android applications that request or abuse accessibility, device administrator, contacts, SMS, storage, or notification-related access; hide from the launcher; resist uninstall; communicate over HTTP/HTTPS; or use SMS/out-of-band channels. Static and dynamic mobile app analysis should account for packed or obfuscated payloads that may reduce signature-only effectiveness.
Likely telemetry
- Android/UEM/MDM device and application inventory, including package name, install source, install time, version, and visibility in the launcher
- Android permission, accessibility service, device administrator, notification access, contacts, SMS, and storage access state where available
- Mobile security or app-vetting results from static and dynamic analysis, especially indicators of packing, obfuscation, hidden icons, or anti-removal behavior
- Network telemetry for mobile device HTTP/HTTPS connections, DNS lookups, and unusual remote endpoints where collection is permitted
- SMS, notification, or out-of-band communication metadata where legally and technically available
Detection direction
- Because ATT&CK provides no official detection text for Gustuff, validate coverage through the related behaviors rather than the malware name alone.
- Tune for combinations of suspicious mobile behaviors: accessibility use plus input injection, credential-like prompts, SMS/contact access, hidden launcher icon, device administrator abuse, and outbound web-protocol communications.
- Review false positives carefully because legitimate accessibility tools, enterprise device management agents, messaging apps, and security products may request powerful permissions.
- Do not rely only on file signatures; the related software packing and obfuscation techniques indicate that static signatures may be insufficient without behavioral or dynamic analysis.
- Confirm mobile telemetry coverage for personally owned or unmanaged Android devices if they can access business systems; unmanaged devices are a likely blind spot for this class of behavior.
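One way to turn the "combinations of suspicious mobile behaviors" guidance above into triage logic over UEM/MDM inventory and permission telemetry, as an added example that is not part of the original page or of ATT&CK. Field names, weights, threshold, and the sample inventory are assumptions; any single signal is common in benign apps, so only combinations should reach the alert threshold.

```python
from __future__ import annotations
from dataclasses import dataclass

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per UEM policy

# Weights are assumed: each signal alone is normal for accessibility tools,
# MDM agents, or messaging apps, so only combinations cross the threshold.
SIGNAL_WEIGHTS = {
    "accessibility_service_enabled": 3,
    "device_admin_enabled": 3,
    "launcher_icon_hidden": 3,
    "sms_permission": 2,
    "sideloaded": 2,
    "contacts_permission": 1,
    "notification_access": 1,
}
ALERT_THRESHOLD = 7
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


@dataclass
class AppRecord:
    """One normalized inventory row (hypothetical schema, not a real UEM export)."""
    package: str
    installer: str
    permissions: frozenset = frozenset()
    accessibility_service_enabled: bool = False
    device_admin_enabled: bool = False
    launcher_icon_hidden: bool = False
    notification_access: bool = False
    allowlisted: bool = False  # vetted MDM agent or known accessibility tool


def signals_for(app: AppRecord) -> list[str]:
    """Name every risky signal present on one record."""
    hits = [n for n in ("accessibility_service_enabled", "device_admin_enabled",
                        "launcher_icon_hidden", "notification_access") if getattr(app, n)]
    if app.permissions & SMS_PERMS:
        hits.append("sms_permission")
    if "android.permission.READ_CONTACTS" in app.permissions:
        hits.append("contacts_permission")
    if app.installer not in TRUSTED_INSTALLERS:
        hits.append("sideloaded")
    return hits


def score(app: AppRecord) -> int:
    return sum(SIGNAL_WEIGHTS[s] for s in signals_for(app))


def triage(apps: list[AppRecord]) -> dict[str, int]:
    """Return {package: score} for non-allowlisted apps at or above the threshold."""
    return {a.package: score(a) for a in apps
            if not a.allowlisted and score(a) >= ALERT_THRESHOLD}


# Constructed sample inventory: an allowlisted MDM agent, a store messenger, a sideloaded suspect.
SAMPLE = [
    AppRecord("com.example.mdmagent", "com.android.vending", frozenset(), True, True, False, False, True),
    AppRecord("org.example.messenger", "com.android.vending",
              frozenset({"android.permission.READ_SMS", "android.permission.READ_CONTACTS"})),
    AppRecord("com.example.suspect", "unknown",
              frozenset({"android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS"}),
              True, True, True),
]
```

Only the sideloaded app that combines accessibility, device administrator, a hidden icon, and SMS/contact access is surfaced; the MDM agent is suppressed by the allowlist and the messenger stays below threshold, which is the false-positive behaviour the bullets above call for.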
Mitigation priorities
- Start with mobile governance: require managed Android posture for access to sensitive business, financial, or identity resources where feasible.
- Restrict installation from untrusted sources and use mobile application vetting to identify packed, obfuscated, or over-permissioned applications.
- Limit and monitor high-risk Android capabilities, especially accessibility services, device administrator privileges, SMS, contacts, storage, and notification access.
- Prepare IR playbooks for suspected mobile credential theft, including device isolation, application removal or device wipe, credential reset, token revocation, and review of downstream account activity.
- Use least-privilege and strong identity controls so stolen mobile credentials have limited business impact; validate that MFA and session controls are not solely dependent on a potentially compromised device.
Analyst notes and limits
This take is based only on ATT&CK S0406 Gustuff fields and its supplied relationships. The object states Android as the platform and describes credential theft targeting banking and virtual currency users. The relationship set provides the strongest defensive context: credential/input capture, discovery, local/SMS/contact data access, web and out-of-band communications, obfuscation, hiding, and anti-removal behaviors.
ATT&CK does not provide official detection guidance, tactics, aliases, or labels for this object in the supplied data. The external Talos reference is listed, but no additional details from that report are used beyond the supplied reference metadata. Local mobile management, privacy constraints, device ownership model, and available telemetry will determine what can actually be detected or proven.
Gustuff
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1406 | Obfuscated Files or Information | Gustuff obfuscated command information using a custom base85-based encoding. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1533 | Data from Local System | Gustuff can capture files and photos from the compromised device. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1418.001 | Security Software Discovery (sub-technique) | Gustuff checks for antivirus software contained in a predefined list. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1636.004 | SMS Messages (sub-technique) | Gustuff can intercept two-factor authentication codes transmitted via SMS. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1406.002 | Software Packing (sub-technique) | Gustuff code is both obfuscated and packed with an FTT packer. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1636.003 | Contact List (sub-technique) | Gustuff can collect the contact list. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1417.001 | Keylogging (sub-technique) | Gustuff abuses accessibility features to intercept all interactions between a user and the device. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1422 | System Network Configuration Discovery | Gustuff gathers the device IMEI to send to the command and control server. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1644 | Out of Band Data | Gustuff can use SMS for command and control from a defined admin phone number. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1437.001 | Web Protocols (sub-technique) | Gustuff communicates with the command and control server using HTTP requests. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1426 | System Information Discovery | Gustuff gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions. (Citation: Talos Gustuff Apr 2019) |
| Mobile | T1417.002 | GUI Input Capture (sub-technique) | Gustuff uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. Gustuff can also send push notifications pretending to be from a bank, triggering a phishing overlay. (Citation: Talos Gustuff Apr 2019) (Citation: Group IB Gustuff Mar 2019) |
| Mobile | T1628.001 | Suppress Application Icon (sub-technique) | Gustuff hides its icon after installation. (Citation: Group IB Gustuff Mar 2019) |
| Mobile | T1629.001 | Prevent Application Removal (sub-technique) | Gustuff may prevent application removal by abusing Android’s `performGlobalAction(int)` API call. |
| Mobile | T1516 | Input Injection | Gustuff injects the global action `GLOBAL_ACTION_BACK` to mimic pressing the back button to close the application if a call to an open antivirus application is detected. (Citation: Talos Gustuff Apr 2019) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1381fb872a4b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Talos Gustuff Apr 2019: Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
[2] mitre-attack S0406
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.